Sunday, August 30, 2009

HOWTO : Hiawatha 6.16 web server on Ubuntu 9.04 Server

Hiawatha is a web server developed by Hugo Leisink, who has a strong interest in IT security, and it is designed with security in mind. It ships with Cross-site Scripting (XSS) prevention, Cross-site Request Forgery (CSRF) prevention, DoS/flooding protection and SQL injection prevention. These are request filters and ban rules applied by the server in front of the application; they raise the bar for an attacker but do not replace input validation and parameterized queries in your PHP code.

It works with PHP and MySQL, so the usual LAMP (Linux, Apache, MySQL and PHP) stack becomes LHMP (Linux, Hiawatha, MySQL and PHP).

Step 0 :

Install Ubuntu 9.04 Server with the OpenSSH server as usual, then bring the system fully up to date:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade


Step 1 :

Download Hiawatha from http://www.hiawatha-webserver.org/download (the current version at this writing is 6.16) and unpack it. No root privileges are needed for this, so the tarball and the source tree stay owned by your own user:

wget http://www.hiawatha-webserver.org/files/hiawatha-6.16.tar.gz
tar -xzvf hiawatha-6.16.tar.gz
cd hiawatha-6.16


Install the build dependencies, then configure the source and build a Debian package from it. The build does not need root either; fakeroot takes care of the file ownership inside the package:

sudo apt-get install build-essential libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev


./configure
make deb


The .deb is written to the directory above the source tree (/home/samiux here). Install the one matching your architecture (dpkg --print-architecture tells you which):

sudo dpkg -i hiawatha_6.16_amd64.deb

or

sudo dpkg -i hiawatha_6.16_i386.deb


Step 2 :

Install MySQL and PHP 5. The list below pulls in every common PHP extension; each one is extra attack surface inside the PHP process, so trim it to what your application actually uses.

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl


When prompted, set a password for the MySQL root account and keep it somewhere safe; you will need it later.

Step 3 :

sudo nano /etc/hiawatha/php-fcgi.conf


Uncomment the following line. Its three fields are the PHP binary to run, the address php-fcgi listens on (loopback only, port 2005) and the user it runs as:

Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data


Start php-fcgi:

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf


To stop it again, add -k:

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf


* php-fcgi must be running before Hiawatha can serve PHP. Confirm that a listener is up on 127.0.0.1:2005 (netstat -tln will show it) before going on; otherwise every request for a .php file will fail.

Step 4 :

sudo nano /etc/hiawatha/hiawatha.conf


Uncomment ServerId at GENERAL SETTINGS.

ServerId = www-data


Uncomment the following entries at BINDING SETTINGS.

Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}


Uncomment all the entries at BANNING SETTINGS. BanlistMask exempts the listed network from banning; set it to the network you administer from (192.168.0.0/24 here) so that a mistyped request or a scan from your own workstation cannot lock you out. BanOnSQLi = 0 means a client is not banned when SQL injection is detected; the per-virtual-host PreventSQLi setting further down still applies, this value only decides whether the client is banned as well.

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 0
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24


Uncomment all the entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS. Keep only the handlers for interpreters that are installed and that your site actually uses; every handler listed here is a way to execute code on the server.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php,php5
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/sbin/ssi-cgi:shtml
CGIextension = cgi


Uncomment all the entries of FastCGIserver and set ConnectTo to 127.0.0.1:2005, the same address php-fcgi listens on (Step 3).

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}


Uncomment all the entries of URL TOOLKIT. This toolkit is written for the Banshee CMS: existing files (and favicon.ico, robots.txt and sitemap.xml) are served as they are, and every other URL is rewritten to /index.php. Use it only if your application expects that kind of front-controller routing; otherwise leave UseToolkit out of the virtual host.

UrlToolkit {
   ToolkitID = banshee
   RequestURI isfile Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}


Uncomment all the entries of VIRTUAL HOSTS and adjust them as necessary.

VirtualHost {
   Hostname = www.samiux.com
   WebsiteRoot = /var/www/www.samiux.com
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 5
   UseFastCGI = PHP5
   UseToolkit = banshee
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
}


This assumes that your domain name is samiux.com and the site lives in /var/www/www.samiux.com.

Step 5 :

sudo nano /etc/php5/cgi/php.ini


Change the following line to Off, so that fopen(), file_get_contents() and friends can no longer fetch remote URLs. Check while you are there that allow_url_include (which governs include/require of remote code) is Off as well; it defaults to Off.

allow_url_fopen = Off


Step 6 :

Restart Hiawatha so the new configuration is loaded. Running hiawatha -k first checks the configuration files for errors without starting the server.

sudo /etc/init.d/hiawatha restart
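The edits from Steps 3 to 5 are spread over three files, and an inconsistency between them (a ConnectTo that does not match the address php-fcgi binds to, a virtual host missing one of the Prevent* lines) only shows up later as broken pages. The following script, an added example for this post and not part of Hiawatha, reads the three files and reports each such problem. It assumes the flat Key = value and Name { } layout used above (no nested blocks) and the default file paths from this post; the checks are the ones this post cares about, not a full Hiawatha validator.

```shell
#!/bin/sh
# Audit the settings edited in Steps 3 to 5. Added example for this post;
# it is not part of Hiawatha. Assumes the flat "Key = value" / "Name { }"
# layout shown above (no nested blocks). Default paths are the ones used
# in the post; pass other files as arguments.

# Print one line per "$2 { ... }" block in file $1, directives joined as
# key=value|key=value, comments and surrounding whitespace removed.
conf_blocks() {
  awk -v want="$2" '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    $0 == ""                       { next }
    $0 ~ ("^" want "[ \t]*\\{$")   { inblk = 1; buf = ""; next }
    inblk && $0 == "}"             { inblk = 0; print buf; next }
    inblk { gsub(/[ \t]*=[ \t]*/, "="); buf = buf (buf == "" ? "" : "|") $0 }
  ' "$1"
}

# Value of directive $2 inside a block line produced by conf_blocks ($1).
block_value() {
  printf '%s\n' "$1" | tr '|' '\n' |
    awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# Value of the top-level (outside any block) directive $2 in file $1.
top_value() {
  awk -v k="$2" '
    { sub(/#.*/, "") }
    /\{[ \t]*$/ { depth++; next }
    /^[ \t]*\}/ { depth--; next }
    depth == 0 && $0 ~ ("^[ \t]*" k "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); gsub(/[ \t]+$/, ""); print; exit
    }
  ' "$1"
}

# Lower-cased value of $2 in a php.ini file $1 (last uncommented one wins).
php_ini_value() {
  grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 |
    sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# Print one FINDING line per problem.
audit_hiawatha() {
  hconf=${1:-/etc/hiawatha/hiawatha.conf}
  fconf=${2:-/etc/hiawatha/php-fcgi.conf}
  ini=${3:-/etc/php5/cgi/php.ini}

  sid=$(top_value "$hconf" ServerId)
  case "$sid" in
    ""|root*) echo "FINDING: ServerId unset or root: '$sid'" ;;
  esac

  # php-fcgi binds to the host:port field of its Server line; every
  # FastCGIserver block in hiawatha.conf must connect to that same address.
  fcgi_addr=$(top_value "$fconf" Server | awk -F';' '
    { for (i = 1; i <= NF; i++) { gsub(/[ \t]/, "", $i)
                                  if ($i ~ /:[0-9]+$/) { print $i; exit } } }')
  conf_blocks "$hconf" FastCGIserver | while read -r blk; do
    to=$(block_value "$blk" ConnectTo)
    [ "$to" = "$fcgi_addr" ] ||
      echo "FINDING: FastCGIserver $(block_value "$blk" FastCGIid): ConnectTo=$to but php-fcgi listens on $fcgi_addr"
  done

  ids=$(conf_blocks "$hconf" FastCGIserver | while read -r blk; do block_value "$blk" FastCGIid; done)
  conf_blocks "$hconf" VirtualHost | while read -r blk; do
    host=$(block_value "$blk" Hostname)
    for k in PreventXSS PreventSQLi PreventCSRF; do
      [ "$(block_value "$blk" "$k")" = yes ] || echo "FINDING: $host: $k is not yes"
    done
    use=$(block_value "$blk" UseFastCGI)
    if [ -n "$use" ] && ! printf '%s\n' "$ids" | grep -qx "$use"; then
      echo "FINDING: $host: UseFastCGI=$use names no FastCGIserver block"
    fi
  done

  [ "$(php_ini_value "$ini" allow_url_fopen)" = off ] ||
    echo "FINDING: allow_url_fopen is not Off in $ini"
}

# Number of findings; 0 means every check passed.
audit_findings() { audit_hiawatha "$@" | grep -c '^FINDING' || true; }

# Usage: sh audit-hiawatha.sh [hiawatha.conf php-fcgi.conf php.ini]
if [ -r "${1:-/etc/hiawatha/hiawatha.conf}" ]; then
  audit_hiawatha "$@"
  echo "findings: $(audit_findings "$@")"
fi
```

Run it after editing; a clean run prints findings: 0. It only inspects files: confirming that php-fcgi is actually listening and that Hiawatha answers on port 80 is still a matter of netstat and a browser.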


Step 7 :

Confine Hiawatha with AppArmor. Generate a profile skeleton with aa-genprof (it will ask you to exercise the program; finishing the wizard is enough), then edit the profile it created:

sudo aa-genprof hiawatha


sudo nano /etc/apparmor.d/usr.sbin.hiawatha


Replace the contents of the profile with the following. php5-cgi is marked rix, so CGI processes that Hiawatha spawns run inside this same profile, which means these rules also limit what a compromised PHP script can reach. Two rules are broader than Hiawatha itself needs: /var/www/** rw lets the server and its CGI children write anywhere under the document root, and /var/lib/** r exposes more of /var/lib than the server reads. Once the site works, tighten /var/www/** to r and grant rw only on the directories that must be writable (uploads, caches). The phpmyadmin and dbconfig-common lines are only needed if you install phpMyAdmin.

#include <tunables/global>
/usr/sbin/hiawatha {
   #include <abstractions/base>
   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,
   network inet tcp,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /usr/bin/php5-cgi rix,
   /usr/sbin/cgi-wrapper mr,
   /usr/sbin/hiawatha mr,
   /usr/share/dbconfig-common/** r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /var/lib/** r,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/ r,
   /var/log/hiawatha/** rw,
   /var/run/hiawatha.pid w,
   /var/www/ r,
   /var/www/** rw,
   /home/*/public_html/** r,
}


Put the profile in enforce mode. A profile is applied when the program starts, so restart Hiawatha afterwards (Step 6) for the running server to be confined; aa-status should then list /usr/sbin/hiawatha under enforce mode, and any denied accesses show up in the kernel log (dmesg) while you exercise the site.

sudo aa-enforce hiawatha


That's all. See you!

Tuesday, August 18, 2009

HOWTO : Quota with ext4 on Ubuntu 9.04 Server

The quota package shipped with Ubuntu 9.04 Server cannot enable quotas on an ext4 filesystem. The quota package from Ubuntu 9.10, which is still in alpha at the time of writing, does work, so we install that one instead.

Step 1 :

Download the Ubuntu 9.10 quota package; the current version at this writing is 3.17-3.

Install it with dpkg and answer the configuration prompts as usual.

sudo dpkg -i <package_name>


Step 2 :

Edit /etc/fstab and add usrquota,grpquota to the mount options of the entry for the mount point /. Then create the quota files, restrict them to root and remount so the new options take effect:

sudo touch /quota.user /quota.group
sudo chmod 600 /quota.*
sudo mount -o remount /


Step 3 :

sudo quotacheck -avugm
sudo quotaon -avug
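The fstab edit in Step 2 is the one part of this procedure done by hand, and a typo there means the root filesystem fails to remount. The following script, an added example for this post and not part of the quota package, makes that edit for you: it adds usrquota,grpquota to the options of the chosen mount point only, skips options that are already present (so it can be re-run), and by default just shows the resulting diff. Its --apply mode rewrites /etc/fstab with a backup and then runs the Step 2 and Step 3 commands from this post.

```shell
#!/bin/sh
# Add usrquota,grpquota to the mount options of one fstab entry without
# touching anything else, idempotently. Added example for this post; not
# part of the quota package. Output goes to stdout; --apply rewrites
# /etc/fstab (keeping /etc/fstab.bak) and runs the post's Step 2/3 commands.

# add_quota_opts <fstab> [mountpoint]   (default mountpoint: /)
add_quota_opts() {
  awk -v mp="${2:-/}" -v OFS='\t' '
    # comments, blank lines and other mount points pass through unchanged
    /^[ \t]*(#|$)/ || $2 != mp { print; next }
    {
      split("", have); n = split($4, o, ",")
      for (i = 1; i <= n; i++) have[o[i]] = 1
      add = ""
      if (!("usrquota" in have)) add = add ",usrquota"
      if (!("grpquota" in have)) add = add ",grpquota"
      $4 = $4 add          # rebuilds the line with tab-separated fields
      print
    }
  ' "$1"
}

# Usage: sh fstab-quota.sh          show what would change (diff)
#        sh fstab-quota.sh --apply  rewrite /etc/fstab and enable quotas (root)
if [ "${1:-}" = --apply ]; then
  cp /etc/fstab /etc/fstab.bak &&
  add_quota_opts /etc/fstab > /etc/fstab.new && mv /etc/fstab.new /etc/fstab &&
  touch /quota.user /quota.group && chmod 600 /quota.user /quota.group &&
  mount -o remount / && quotacheck -avugm && quotaon -avug
elif [ -r /etc/fstab ]; then
  add_quota_opts /etc/fstab | diff /etc/fstab - && echo "no change needed"
fi
```

After --apply, repquota -a should list the root filesystem; per-user limits are then set with edquota or setquota.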


That's all. See you!

Saturday, August 15, 2009

HOWTO : Torrentflux-b4rt with Cherokee on Ubuntu 9.04 Server

I am going to build a BitTorrent server on the Cherokee web server instead of Apache; call it LCMP (Linux, Cherokee, MySQL and PHP). Cherokee is among the fastest web servers around, and you are not required to edit its config files by hand: everything is configured through the browser-based cherokee-admin.

The BitTorrent front-end is Torrentflux-b4rt, which runs on PHP and MySQL and drives BitTornado as the download client.

Step 0 :

Install Ubuntu 9.04 Server edition as usual, selecting only the OpenSSH server during installation.

After the installation, perform the system update.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade


Assume your server's IP is 192.168.0.200

Step 1 :

sudo nano /etc/apt/sources.list.d/cherokee.list


Add the following lines.

deb http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main


Add the key.

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EBA7BD49


sudo apt-get update
sudo apt-get install cherokee




Step 2 :

sudo apt-get install mysql-server mysql-client


Enter a MySQL root password when asked and keep it somewhere safe.

Step 3 :

sudo apt-get install php5-cgi


sudo nano /etc/php5/cgi/php.ini


Append the following line at the end of the file. It makes php-cgi resolve PATH_INFO for requests such as /index.php/foo/bar, which the Cherokee PHP setup needs. The flip side is that, with this setting, a request like /uploads/pic.jpg/x.php can make PHP execute pic.jpg if the web server hands the request to PHP, so keep the PHP handler rule limited to the php extension and keep user uploads out of any path that rule covers.

cgi.fix_pathinfo = 1


sudo /etc/init.d/cherokee restart


sudo apt-get install php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl


sudo /etc/init.d/cherokee restart


Step 4 :

sudo cherokee-admin -b


The -b flag makes cherokee-admin listen on every interface rather than only on localhost, so that you can reach it from another machine; the one-time password it prints is then all that protects the server configuration. Use -b only on a trusted network; otherwise leave it off and forward port 9090 over SSH. Something like the following will be displayed:

Login:
User: admin
One-time Password: W0K2jR961aYaeiwu


Web Interface:
URL: http://localhost:9090/


Cherokee Web Server 0.99.22 (Aug 5 2009): Listening on port ALL:9090, TLS disabled, IPv6 disabled, using epoll, 4096 fds system limit, max. 2041 connections, caching I/O, single thread


Open a browser and point it to http://192.168.0.200:9090 (or http://localhost:9090 from the server itself).

Log in with the user name "admin" and the one-time password shown in the terminal (a new one is generated every time cherokee-admin starts).

Step 5 :

Clone a virtual host from the default one and fill in the domain name, document root and so on.

The document root should be "/var/www/torrentflux".

Go back to the terminal and press Ctrl + C to stop cherokee-admin, then restart Cherokee:

sudo /etc/init.d/cherokee restart


Step 6 :

sudo apt-get install unrar unzip vlc uudeview build-essential bittornado


Download and compile cksfv, which torrentflux-b4rt requires.

wget http://zakalwe.fi/~shd/foss/cksfv/files/cksfv-1.3.14.tar.bz2
tar -xjvf cksfv-1.3.14.tar.bz2


cd cksfv-1.3.14
./configure
make
sudo make install


Get and install torrentflux-b4rt.

wget http://download.berlios.de/tf-b4rt/torrentflux-b4rt_1.0-beta2.tar.bz2
tar -xjvf torrentflux-b4rt_1.0-beta2.tar.bz2


cd torrentflux-b4rt_1.0-beta2
sudo cp -R html /var/www/torrentflux
sudo chmod -R 0777 /var/www/torrentflux/inc/config


sudo mkdir /home/samiux/torrent
sudo chmod -R 0777 /home/samiux/torrent
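The two chmod -R 0777 lines make the config directory (which sits inside the web root) and the download directory writable by every local account, which is more than torrentflux-b4rt needs: only the web server user has to write there, and you only need to read the downloads. The following script, an added example for this post and not part of torrentflux-b4rt, does the same job with least privilege and adds an audit you can re-run. It assumes Cherokee and php5-cgi run as www-data (the Ubuntu default) and that your shell user (samiux here) is a member of the www-data group, which usermod -a -G www-data samiux arranges.

```shell
#!/bin/sh
# Least-privilege replacement for the two "chmod -R 0777" lines above, plus
# an audit you can re-run. Added example for this post; not part of
# torrentflux-b4rt. Assumes Cherokee and php5-cgi run as www-data (the
# Ubuntu default) and that your shell user is in the www-data group.

# tf_harden <webroot> <downloaddir> <web_user> <web_group> [shell_user]
tf_harden() {
  webroot=$1; dl=$2; wuser=$3; wgroup=$4; me=${5:-$(id -un)}
  # application code: owned by you, readable (not writable) by the web user
  chown -R "$me:$wgroup" "$webroot"
  find "$webroot" -type d -exec chmod 0750 {} +
  find "$webroot" -type f -exec chmod 0640 {} +
  # the only part setup.php must write: inc/config, group- not world-writable
  chown -R "$wuser:$wgroup" "$webroot/inc/config"
  chmod 0770 "$webroot/inc/config"
  # downloads: written by the web user, shared with your group via setgid
  mkdir -p "$dl"
  chown "$wuser:$wgroup" "$dl"
  chmod 2770 "$dl"
}

# tf_audit <webroot>: report leftovers; returns 1 if anything is wrong
tf_audit() {
  bad=0
  if [ -e "$1/setup.php" ]; then
    echo "FINDING: $1/setup.php still present"; bad=1
  fi
  ww=$(find "$1" ! -type l -perm -002)
  if [ -n "$ww" ]; then
    echo "FINDING: world-writable entries under $1:"; echo "$ww"; bad=1
  fi
  return $bad
}

# Usage (as root, after setup.php has been run and deleted in Step 7):
#   tf_harden /var/www/torrentflux /home/samiux/torrent www-data www-data samiux
#   tf_audit  /var/www/torrentflux
```

Run tf_harden before Step 7 so that setup.php can write its config, and tf_audit after you have deleted setup.php; a clean audit prints nothing and exits 0.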


Step 7 :

Point your browser to http://192.168.0.200/setup.php and configure it.

** The user name and password you enter during the torrentflux-b4rt setup become the admin account. Write them down.

The download directory should be "/home/samiux/torrent".

After the configuration, delete setup.php so that nobody can run it again:

sudo rm /var/www/torrentflux/setup.php


Step 8 :

Make sure to forward the default BitTorrent listening ports, 49160 to 49300, at your router or firewall.

Step 9 (Optional) :

Install vsftpd if you need FTP access to the downloads.

** Make sure you set pasv_address to the IP address your server is reached at from outside.

Step 10 (Optional) :

Make your server bootless.


That's all. See you!